Bug#1091885: bookworm-pu: package audiofile/0.3.6-5+deb12u1
Moritz Muehlenhoff
2025-01-01 22:00:01 UTC
Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: ***@packages.debian.org, debian-***@lists.debian.org
Control: affects -1 + src:audiofile
User: ***@packages.debian.org
Usertags: pu

Fixes two minor security issues not worth a DSA,
debdiff below.

Cheers,
Moritz

diff -Nru audiofile-0.3.6/debian/changelog audiofile-0.3.6/debian/changelog
--- audiofile-0.3.6/debian/changelog 2019-04-05 16:13:16.000000000 +0200
+++ audiofile-0.3.6/debian/changelog 2025-01-01 17:42:41.000000000 +0100
@@ -1,3 +1,10 @@
+audiofile (0.3.6-5+deb12u1) bookworm; urgency=medium
+
+ * CVE-2022-24599 (Closes: #1008017)
+ * CVE-2019-13147 (Closes: #931343)
+
+ -- Moritz Mühlenhoff <***@debian.org> Wed, 01 Jan 2025 17:42:41 +0100
+
audiofile (0.3.6-5) unstable; urgency=medium

* Team upload.
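Review bot: the two new changelog entries name only the CVE identifiers and the closed bugs; a short description of what each fix does would help readers of apt-listchanges and the stable release notes, e.g. " * CVE-2022-24599: NUL-terminate the copyright chunk printed by sfinfo (Closes: #1008017)" and " * CVE-2019-13147: reject negative frame sizes in sfconvert and absurd channel counts in the NeXT reader (Closes: #931343)", which is what patches 13, 14 and 15 below actually do.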
diff -Nru audiofile-0.3.6/debian/patches/13-Fix-CVE-2022-24599.patch audiofile-0.3.6/debian/patches/13-Fix-CVE-2022-24599.patch
--- audiofile-0.3.6/debian/patches/13-Fix-CVE-2022-24599.patch 1970-01-01 01:00:00.000000000 +0100
+++ audiofile-0.3.6/debian/patches/13-Fix-CVE-2022-24599.patch 2025-01-01 17:41:31.000000000 +0100
@@ -0,0 +1,89 @@
+From: =?utf-8?q?Bastien_Roucari=C3=A8s?= <***@debian.org>
+Date: Sat, 11 Nov 2023 15:58:50 +0000
+Subject: Fix CVE-2022-24599
+
+Memory-leak bug in printfileinfo, due to memcpy on an non allocated memory buffer
+with a user declared string.
+
+Fix it by calloc(declaredsize+1,1) that zeros the buffer and terminate by '\0'
+for printf
+
+Avoid also a buffer overflow by refusing to allocating more than INT_MAX-1.
+
+Before under valgrind:
+libtool --mode=execute valgrind --track-origins=yes ./sfinfo heapleak_poc.aiff
+
+Duration -inf seconds
+==896222== Invalid read of size 1
+==896222== at 0x4846794: strlen (vg_replace_strmem.c:494)
+==896222== by 0x49246C8: __printf_buffer (vfprintf-process-arg.c:435)
+==896222== by 0x4924D90: __vfprintf_internal (vfprintf-internal.c:1459)
+==896222== by 0x49DE986: __printf_chk (printf_chk.c:33)
+==896222== by 0x10985C: printf (stdio2.h:86)
+==896222== by 0x10985C: printfileinfo (printinfo.c:134)
+==896222== by 0x10930A: main (sfinfo.c:113)
+==896222== Address 0x4e89bd1 is 0 bytes after a block of size 1 alloc'd
+==896222== at 0x48407B4: malloc (vg_replace_malloc.c:381)
+==896222== by 0x109825: copyrightstring (printinfo.c:163)
+==896222== by 0x109825: printfileinfo (printinfo.c:131)
+==896222== by 0x10930A: main (sfinfo.c:113)
+==896222==
+Copyright C
+
+After:
+Duration -inf seconds
+Copyright C
+
+forwarded: https://github.com/mpruett/audiofile/issues/60
+bug: https://github.com/mpruett/audiofile/issues/60
+bug-debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1008017
+bug-debian-security: https://security-tracker.debian.org/tracker/CVE-2022-24599
+---
+ sfcommands/printinfo.c | 16 ++++++++++++----
+ 1 file changed, 12 insertions(+), 4 deletions(-)
+
+diff --git a/sfcommands/printinfo.c b/sfcommands/printinfo.c
+index 60e6947..f5cf925 100644
+--- a/sfcommands/printinfo.c
++++ b/sfcommands/printinfo.c
+@@ -37,6 +37,7 @@
+ #include <stdint.h>
+ #include <stdio.h>
+ #include <stdlib.h>
++#include <limits.h>
+
+ static char *copyrightstring (AFfilehandle file);
+
+@@ -147,7 +148,11 @@ static char *copyrightstring (AFfilehandle file)
+ int i, misccount;
+
+ misccount = afGetMiscIDs(file, NULL);
+- miscids = (int *) malloc(sizeof (int) * misccount);
++ if(!misccount)
++ return NULL;
++ miscids = (int *) calloc(misccount, sizeof(int));
++ if(!miscids)
++ return NULL;
+ afGetMiscIDs(file, miscids);
+
+ for (i=0; i<misccount; i++)
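Review bot: `if(!misccount) return NULL;` only catches a zero count. If afGetMiscIDs can report failure with a negative value, the code falls through to `calloc(misccount, sizeof(int))`, where the negative int converts to an enormous size_t and the function bails out only because that allocation happens to fail. Make the intent explicit with `if (misccount <= 0) return NULL;`. Also confirm that the caller in printfileinfo (printinfo.c:131 in the valgrind trace above) already copes with a NULL return before handing the string to printf, since this hunk introduces two new NULL paths.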
+@@ -159,13 +164,16 @@ static char *copyrightstring (AFfilehandle file)
+ If this code executes, the miscellaneous chunk is a
+ copyright chunk.
+ */
+- int datasize = afGetMiscSize(file, miscids[i]);
+- char *data = (char *) malloc(datasize);
++ size_t datasize = afGetMiscSize(file, miscids[i]);
++ if(datasize >= INT_MAX -1 ) {
++ goto error;
++ }
++ char *data = (char *) calloc(datasize + 1, 1);
+ afReadMisc(file, miscids[i], data, datasize);
+ copyright = data;
+ break;
+ }
+-
++error:
+ free(miscids);
+
+ return copyright;
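Review bot: the result of `calloc(datasize + 1, 1)` is passed straight to `afReadMisc(file, miscids[i], data, datasize)` without a NULL check, so an allocation failure on a large declared size (anything below the INT_MAX-1 bound is still accepted) becomes a NULL-pointer write inside the library. Add `if (!data) goto error;` after the calloc, matching the check this patch already adds for `miscids`. Separately, the description above calls this a memory leak, but the valgrind output it quotes shows an invalid read of one byte past a 1-byte allocation, i.e. a missing NUL terminator leading to a heap over-read by printf; rewording the description to say so would make the actual impact of CVE-2022-24599 clear to anyone reading the patch later.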
diff -Nru audiofile-0.3.6/debian/patches/14-Partial-fix-of-CVE-2019-13147.patch audiofile-0.3.6/debian/patches/14-Partial-fix-of-CVE-2019-13147.patch
--- audiofile-0.3.6/debian/patches/14-Partial-fix-of-CVE-2019-13147.patch 1970-01-01 01:00:00.000000000 +0100
+++ audiofile-0.3.6/debian/patches/14-Partial-fix-of-CVE-2019-13147.patch 2025-01-01 17:41:31.000000000 +0100
@@ -0,0 +1,43 @@
+From: =?utf-8?q?Bastien_Roucari=C3=A8s?= <***@debian.org>
+Date: Sat, 11 Nov 2023 17:42:03 +0000
+Subject: Partial fix of CVE-2019-13147
+
+This fix the symptom do not allow to allocate negative memory:
+==129695==WARNING: AddressSanitizer failed to allocate 0xffffffffc2c00000 bytes
+==129695==AddressSanitizer's allocator is terminating the process instead of returning 0
+==129695==If you don't like this behavior set allocator_may_return_null=1
+==129695==AddressSanitizer CHECK failed: ../../../../src/libsanitizer/sanitizer_common/sanitizer_allocator.cc:218 "((0)) != (0)" (0x0, 0x0)
+ #0 0x7f48c8503c02 (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xe9c02)
+ #1 0x7f48c8522595 in __sanitizer::CheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x108595)
+ #2 0x7f48c8509342 (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xef342)
+ #3 0x7f48c8441e46 (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x27e46)
+ #4 0x7f48c84f8b1a in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb1a)
+ #5 0x558dc209af68 in copyaudiodata /home/tim/audiofile-santi/sfcommands/sfconvert.c:327
+ #6 0x558dc209a620 in main /home/tim/audiofile-santi/sfcommands/sfconvert.c:248
+ #7 0x7f48c7d38b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
+ #8 0x558dc209ac79 in _start (/home/tim/audiofile-santi/sfcommands/.libs/sfconvert+0x1c79)
+
+If negative bail out
+
+bug: https://github.com/mpruett/audiofile/issues/54
+forwarded: https://github.com/mpruett/audiofile/issues/54
+bug-debian-security: https://security-tracker.debian.org/tracker/CVE-2019-13147
+bug-debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=931343
+---
+ sfcommands/sfconvert.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/sfcommands/sfconvert.c b/sfcommands/sfconvert.c
+index 367f7a5..400d485 100644
+--- a/sfcommands/sfconvert.c
++++ b/sfcommands/sfconvert.c
+@@ -349,7 +349,8 @@ void printversion (void)
+ bool copyaudiodata (AFfilehandle infile, AFfilehandle outfile, int trackid)
+ {
+ int frameSize = afGetVirtualFrameSize(infile, trackid, 1);
+-
++ if(frameSize <= 0)
++ return false;
+ int kBufferFrameCount = 65536;
+ int bufferSize;
+ while (multiplyCheckOverflow(kBufferFrameCount, frameSize, &bufferSize))
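Review bot: `return false` on a non-positive frameSize is silent, so the user sees the conversion stop with no explanation. Emit a diagnostic before returning, e.g. `fprintf(stderr, "invalid frame size %d\n", frameSize);`, so the failure is distinguishable from other reasons copyaudiodata can return false. Note also that this guards only sfconvert's own buffer sizing; any other consumer of afGetVirtualFrameSize still receives the bogus value, which is why the "partial fix" label is appropriate and why the companion NeXT.cpp change that rejects the file at open time is needed as well.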
diff -Nru audiofile-0.3.6/debian/patches/15-Partial-fix-of-CVE-2019-13147.patch audiofile-0.3.6/debian/patches/15-Partial-fix-of-CVE-2019-13147.patch
--- audiofile-0.3.6/debian/patches/15-Partial-fix-of-CVE-2019-13147.patch 1970-01-01 01:00:00.000000000 +0100
+++ audiofile-0.3.6/debian/patches/15-Partial-fix-of-CVE-2019-13147.patch 2025-01-01 17:41:31.000000000 +0100
@@ -0,0 +1,43 @@
+From: =?utf-8?q?Bastien_Roucari=C3=A8s?= <***@debian.org>
+Date: Sat, 11 Nov 2023 17:43:19 +0000
+Subject: Partial fix of CVE-2019-13147
+
+This is the fix of the POC. Do not allow too many channel
+
+Now it fail with:
+Audio File Library: invalid file with 1633771873 channels [error 15]
+Could not open file 'poc' for reading.
+
+bug: https://github.com/mpruett/audiofile/issues/54
+forwarded: https://github.com/mpruett/audiofile/issues/54
+bug-debian-security: https://security-tracker.debian.org/tracker/CVE-2019-13147
+bug-debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=931343
+---
+ libaudiofile/NeXT.cpp | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/libaudiofile/NeXT.cpp b/libaudiofile/NeXT.cpp
+index c462dbe..01c967c 100644
+--- a/libaudiofile/NeXT.cpp
++++ b/libaudiofile/NeXT.cpp
+@@ -32,6 +32,7 @@
+ #include <stdint.h>
+ #include <stdlib.h>
+ #include <string.h>
++#include <limits.h>
+
+ #include "File.h"
+ #include "Setup.h"
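Review bot: the added `#include <limits.h>` is not needed here. The only new constant the patch uses, INT32_MAX, comes from `<stdint.h>`, which this file already includes three lines above. Either drop the include or, if the bound was meant to be tied to the platform `int`, use INT_MAX and keep the include.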
+@@ -122,6 +123,12 @@ status NeXTFile::readInit(AFfilesetup setup)
+ _af_error(AF_BAD_CHANNELS, "invalid file with 0 channels");
+ return AF_FAIL;
+ }
++ /* avoid overflow of INT for double size rate */
++ if (channelCount > (INT32_MAX / (sizeof(double))))
++ {
++ _af_error(AF_BAD_CHANNELS, "invalid file with %i channels", channelCount);
++ return AF_FAIL;
++ }
+
+ Track *track = allocateTrack();
+ if (!track)
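Review bot: the comment `/* avoid overflow of INT for double size rate */` does not say which computation it protects; name the downstream allocation (presumably a per-channel buffer of doubles, given the divisor) so a future reader knows why `sizeof(double)` is the right constant and whether the bound still holds if that buffer changes type. If channelCount is an int, as the `%i` format suggests, the comparison against a size_t also silently promotes it to unsigned; writing the bound as `(int)(INT32_MAX / sizeof(double))` keeps the comparison signed and the intent obvious. Finally, the check sits only in NeXTFile::readInit, so the other format readers are not covered; since the subject already labels this a partial fix, stating in the message what remains unfixed would help whoever picks it up next.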
diff -Nru audiofile-0.3.6/debian/patches/series audiofile-0.3.6/debian/patches/series
--- audiofile-0.3.6/debian/patches/series 2019-04-05 16:10:40.000000000 +0200
+++ audiofile-0.3.6/debian/patches/series 2025-01-01 17:42:28.000000000 +0100
@@ -10,3 +10,6 @@
10_Check-for-division-by-zero-in-BlockCodec-runPull.patch
11_CVE-2018-13440.patch
12_CVE-2018-17095.patch
+13-Fix-CVE-2022-24599.patch
+14-Partial-fix-of-CVE-2019-13147.patch
+15-Partial-fix
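As an added example (not code from the audiofile patches or project) of the two defensive patterns these patches apply, the C below shows, for a hypothetical length-prefixed chunk struct and a generic frame-size multiplication: copying a non-terminated chunk into a zeroed buffer one byte larger than its declared size so a later printf("%s") cannot run off the end, rejecting negative or near-INT_MAX sizes before any arithmetic, and refusing a non-positive frame size before an overflow-checked buffer-size computation. `struct chunk`, `read_text_chunk`, `buffer_bytes` and `self_check` are names invented for this example, and the payload bytes are constructed.

```c
/* Added example, not part of audiofile or the Debian patches above.
 * Demonstrates the two checks the debdiff introduces, in generic form:
 *  1. read_text_chunk(): copy a length-prefixed, non-NUL-terminated chunk
 *     (like an AIFF/NeXT copyright chunk) into a zeroed buffer one byte larger
 *     than the declared size, rejecting negative or oversized lengths, so the
 *     result is always a valid C string.
 *  2. buffer_bytes(): compute frames * frame_size with an overflow check and
 *     reject frame sizes <= 0 instead of letting a negative value turn into a
 *     huge size_t at malloc().
 */
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical on-disk chunk: the declared size comes from the file header
 * (attacker-controlled); the payload follows and carries no terminator. */
struct chunk {
    int         declared_size;  /* as read from the file */
    const char *payload;        /* declared_size bytes, no NUL */
};

/* Returns a heap-allocated NUL-terminated copy of the chunk text,
 * or NULL if the declared size is negative, too large, or memory is short. */
char *read_text_chunk(const struct chunk *c)
{
    /* Negative sizes and sizes that would wrap on the +1 are rejected before
     * any arithmetic, mirroring the INT_MAX-1 bound used in the patch. */
    if (c->declared_size < 0 || c->declared_size >= INT_MAX - 1)
        return NULL;
    size_t n = (size_t)c->declared_size;
    char *buf = calloc(n + 1, 1);      /* zeroed: byte n is the terminator */
    if (!buf)
        return NULL;                   /* allocation failure is a hard stop */
    memcpy(buf, c->payload, n);        /* copies exactly the declared bytes */
    return buf;
}

/* Computes frames * frame_size into *out.
 * Returns false on a non-positive operand or if the product would overflow int. */
bool buffer_bytes(int frames, int frame_size, int *out)
{
    if (frames <= 0 || frame_size <= 0)
        return false;
    if (frame_size > INT_MAX / frames) /* frames * frame_size > INT_MAX */
        return false;
    *out = frames * frame_size;
    return true;
}

/* Constructed inputs exercising both checks; returns how many passed (8 expected). */
int self_check(void)
{
    int passed = 0;
    /* 11 payload bytes, deliberately without a terminating NUL. */
    static const char raw[11] = {'C','o','p','y','r','i','g','h','t',' ','C'};

    struct chunk good = { 11, raw };
    char *s = read_text_chunk(&good);
    if (s && strlen(s) == 11 && strcmp(s, "Copyright C") == 0) passed++;
    free(s);

    struct chunk negative  = { -1, raw };       /* negative size from the file */
    if (read_text_chunk(&negative) == NULL) passed++;
    struct chunk oversized = { INT_MAX, raw };  /* would wrap on the +1 */
    if (read_text_chunk(&oversized) == NULL) passed++;

    int bytes = 0;
    if (buffer_bytes(65536, 8, &bytes) && bytes == 65536 * 8) passed++;
    if (!buffer_bytes(65536, 0, &bytes)) passed++;        /* zero frame size */
    if (!buffer_bytes(65536, -4, &bytes)) passed++;       /* negative frame size */
    if (!buffer_bytes(65536, INT_MAX, &bytes)) passed++;  /* multiplication overflow */
    if (!buffer_bytes(0, 8, &bytes)) passed++;            /* zero frame count */
    return passed;
}

int main(void)
{
    printf("%d of 8 checks passed\n", self_check());
    return 0;
}
```

Both helpers fail closed: a bad size yields NULL or false rather than a best-effort buffer, which is the behaviour the patches move sfinfo and sfconvert towards.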
Debian Bug Tracking System
2025-01-01 22:00:02 UTC
Post by Moritz Muehlenhoff
affects -1 + src:audiofile
Bug #1091885 [release.debian.org] bookworm-pu: package audiofile/0.3.6-5+deb12u1
Added indication that 1091885 affects src:audiofile
--
1091885: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1091885
Debian Bug Tracking System
Contact ***@bugs.debian.org with problems
Adam D Barratt
2025-01-02 21:40:02 UTC
package release.debian.org
tags 1091885 = bookworm pending
thanks

Hi,

The upload referenced by this bug report has been flagged for acceptance into the proposed-updates queue for Debian bookworm.

Thanks for your contribution!

Upload details
==============

Package: audiofile
Version: 0.3.6-5+deb12u1

Explanation: fix null pointer dereference issue [CVE-2019-13147]; fix information leak issue [CVE-2022-24599]
Debian Bug Tracking System
2025-01-11 11:20:15 UTC
Your message dated Sat, 11 Jan 2025 11:03:08 +0000
with message-id <E1tWZGm-009jXK-***@coccia.debian.org>
and subject line Close 1091885
has caused the Debian Bug report #1091885,
regarding bookworm-pu: package audiofile/0.3.6-5+deb12u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ***@bugs.debian.org
immediately.)